    Chinese-Made Malware Kit Targets Chinese-Based Edge Devices

    A malware framework that remained hidden for years has been discovered by security researchers at Cisco Talos.

    The researchers were hunting for samples of DarkNimbus, a backdoor linked to the MOONSHINE exploit kit (both have been known about since 2023), when they found a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework they had never seen before.

    Cisco Talos researchers have shared technical details about this framework, which they dubbed DKnife, in a new report published on February 5.

    Used since at least 2019 and still active in January 2026, DKnife targets Chinese-speaking users and the Talos researchers assessed “with high confidence” that it was made by Chinese-nexus threat actors.

    This assessment is based on “the language used in the code, configuration files and the ShadowPad malware delivered in the campaign.”

    The researchers also discovered overlaps between DKnife’s infrastructure and that of a campaign delivering WizardNet, a modular backdoor known to be delivered by Spellbinder, a different AitM framework, suggesting a shared development or operational lineage.

    DKnife is a Linux-based (x86-64) framework designed for gateway-level attacks, enabling operators to monitor, manipulate and hijack network traffic on compromised routers or edge devices.

    It is made up of seven executable and linkable format (ELF) binaries that operate together to carry out deep packet inspection (DPI), traffic interception and malicious payload delivery.

    The framework is designed for Linux-based firmware, especially systems running CentOS or Red Hat Enterprise Linux, and includes support for point-to-point protocol over Ethernet (PPPoE), virtual local area network (VLAN) tagging and bridged interfaces. This makes it particularly effective for exploiting routers and similar network devices.

    The framework performs several key functions including serving command and control (C2) updates for backdoors such as DarkNimbus and ShadowPad.

    It also enables domain name system (DNS) hijacking and the interception of legitimate downloads for Android applications and Windows binaries to substitute them with malicious payloads.

    DKnife can disrupt traffic from security products, such as antivirus updates, and exfiltrate user activity to remote C2 servers. Its modular architecture and phishing templates allow for both covert monitoring and active in-line attacks, which makes it a powerful tool for maintaining persistent access to compromised networks.

    “Overall, the evidence suggests a well-integrated and evolving toolchain of AitM frameworks and backdoors, underscoring the need for continuous visibility and monitoring of routers and edge infrastructure,” the Talos researchers concluded.
